The document discusses Microsoft's PaaS solutions for regulated workloads, highlighting the importance of regulatory compliance for financial services. It outlines Azure's comprehensive compliance coverage, detailing its extensive list of supported regulations and security measures. Key features include perimeter security, identity management, and monitoring tools, which aid in maintaining a secure cloud environment for financial institutions transitioning to the cloud.

1. PaaS Solutions for Regulated Workloads
DogFoodCon
Jeremy Gray
Microsoft
Cloud Solution Architect, Financial Services
10/5/2018

2. © Microsoft Corporation
Introduction

3. © Microsoft Corporation
Contents
## Introduction
## Applicable Service Updates
## Overview
## Perimeter Security
## Identity and Access Management
## Vulnerability Management
## Logging and Monitoring
## Resource Governance

4. © Microsoft Corporation
Leading edge
regulatory compliance
capabilities
empowering
financial services
Customers are moving!
90% of the "Too Big to Fail” financial institutions
are now committed to the Microsoft Cloud…
Institution is
accountable & in control
Regulator
Right to Examine
Over 100 financial services regulators
engaged in last 4 years“The cloud is inevitable…
But right now the timing
isn’t right.”
“Tell me how to get
there in a safe &
regulatory
compliant way…”
TODAY…
FIVE YEARS AGO…
Microsoft Confidential 4
Online
Services
(All Customers)
Financial
services
Amendment
(FS Only)
Financial Services
Compliance
Program
(FS Only)

5. © Microsoft Corporation
USGovGlobalRegionalIndustry
Azure covers 72 compliance offerings
Azure has the deepest and most comprehensive compliance coverage in the industry
 ISO 27001:2013
 ISO 27017:2015
 ISO 27018:2014
 ISO 22301:2012
 ISO 9001:2015
 ISO 20000-1:2011
 SOC 1 Type 2
 SOC 2 Type 2
 SOC 3
 CSA STAR Certification
 CSA STAR Attestation
 CSA STAR Self-Assessment
 WCAG 2.0 (ISO
40500:2012)
 FedRAMP High
 FedRAMP Moderate
 EAR
 DoE 10 CFR Part 810
 NIST SP 800-171
 NIST CSF
 Section 508 VPATs
 FIPS 140-2
 ITAR
 CJIS
 IRS 1075
 PCI DSS Level 1
 GLBA
 FFIEC
 Shared Assessments
 FISC (Japan)
 APRA (Australia)
 FCA (UK)
 MAS + ABS (Singapore)
 23 NYCRR 500
 HIPAA BAA
 HITRUST
 21 CFR Part 11 (GxP)
 MARS-E
 NHS IG Toolkit (UK)
 NEN 7510:2011 (Netherlands)
 FERPA
 CDSA
 MPAA
 DPP (UK)
 FACT (UK)
 SOX
 Argentina PDPA
 Australia CCSL / IRAP
 Canada Privacy Laws
 China GB 18030:2005
 China DJCP (MLPS) Level 3
 Singapore MTCS Level 3
 Spain ENS
 Spain DPA
 UK Cyber Essentials Plus
 UK G-Cloud
 UK PASF
 China TRUCS / CCCPPF
 EN 301 549
 EU ENISA IAF
 EU Model Clauses
 EU – US Privacy Shield
 Germany C5
 DFARS
 DoD DISA SRG Level 5
 DoD DISA SRG Level 4
 DoD DISA SRG Level 2
 Germany IT-Grundschutz workbook
 India MeitY
 Japan CS Mark Gold
 Japan My Number Act
 Netherlands BIR 2012
 New Zealand Gov CC Framework
https://aka.ms/AzureCompliance

6. © Microsoft Corporation
Resources

7. © Microsoft Corporation
All offers and claims are void
No warranty expressed or implied
Compliance is more than technical
controls
The Trust Center is your friend
Disclaimer

8. © Microsoft Corporation
This is why I think PaaS is a compelling option for regulated workloads, it contracts away your responsibility.
Customer Responsibility Model
IaaS PaaS SaaS
App Configuration Azure Customer Azure Customer Azure Customer
Application Azure Customer Azure Customer Azure
Platform Azure Customer Azure Azure
OS Azure Customer Azure Azure
Network Azure Azure Azure

9. Risk management across service models
On-Prem IaaS PaaS SaaS
Data classification and accountability
Client & end-point protection
Identity & access management
Application level controls
Network controls
Host Infrastructure
Physical Security
Provider management of risk
Physical | Networking
Customer management of risk
Data Classification and data accountability
9

10. © Microsoft Corporation
http://aka.ms/fsiblueprint

11. © Microsoft Corporation
Azure changes every week and some amazing updates have happened since the publishing of this blueprint.
Services Updates
Service Endpoints
You can isolate ingress into the following PaaS
services to a specific Azure vNet.
• Azure Storage
• Azure SQL Database
• Azure Database for PostgreSQL
• Azure Database for MySQL
• Azure CosmosDB
• Azure Key Vault
• Azure SQL Data Warehouse
• Azure Service Bus
• Azure Event Hubs
• Azure Monitor
Product Updates
• Global vNet peering
• P2 JIT access
• Azure Policy
• Azure SQL Data retention
• App Service vNet integration
• Add more
New Products
• Azure Security Center
• Compliance Manager
• Azure DDos Protection
• Managed Service Identity
• AKS
• Immutable Storage
• Azure Firewall
• Add more

12. © Microsoft Corporation
Overview
Azure Key Vault
Azure Storage
Operations
Management Suite
Microsoft Azure
Azure
Active Directory
Azure
Monitor
Systems
engineering
Workload Identity, secrets & access management
System health monitoring
Storage Networking
ExpressRoute VPN
Gateway
Suggested
connection
mechanisms to
Azure
Azure DNS
Network
security groups
Web App
Firewall
Application
Gateway
Resource
group
Users
CNAME record:
custom domain to
Application Gateway
hostname
Azure management
portal
Key
Public
Encrypted in Azure
App Service
Automation
Application
Insights
Azure
Runbooks
TLS
TLS
Azure Security
Center
Load
Balancer
WebApp
worker pools
WebApp
Azure SQL
Database

13. © Microsoft Corporation
Whoa

14. © Microsoft Corporation
Perimeter Security - Applications
Microsoft Azure
Web App
Firewall
Application
Gateway
AzureFirewallSubnet
Users
TLS
Resource
group
App Service
Load
Balancer Web App
Function App
subnet-ase-app
Application Insights
My
Virtual
network
Azure SQL
Azure Key Vault
Blob StorageAzure Firewall
Service
Endpoint
subnet-gateway
User Defined Route (UDR)
resource + region tag
Service
Endpoint
Service
Endpoint

15. © Microsoft Corporation
Perimeter Security - Operations
Systems
engineering
DevOps
Administrator
subnet-bastion
Bastion Host
VM Extensions
1. OMS Agent
2. Antimalware
Microsoft Azure
subnet-ase-app
subnet-other-vm
subnet-build-agents*
Management Portal
Command Line Interface

16. Just in Time
Access
Audit-ready
Just Enough
Access
Privileged Admin
Workflow
Azure AD Privileged Identity Management

17. © Microsoft Corporation

18. © Microsoft Corporation

19. © Microsoft Corporation
Feel Better?

20. © Microsoft Corporation
• Web Application Firewall
• Hardened VM Images via Azure marketplace
• Azure Security Center
• Anti-malware extension
• Intrusion Detection System (IDS)
• File Integrity Monitoring (FIM)
• Azure Monitor (formerly known as OMS)
• Log Monitoring and Alerting
Vulnerability Management

21. © Microsoft Corporation
Azure Security Center

22. © Microsoft Corporation
Configure Data Collection

23. © Microsoft Corporation
Configure Policy – Policy Per Subscription

24. © Microsoft Corporation
Configure Policy – Management Groups

25. © Microsoft Corporation
Azure Monitor

26. Metrics
Logs
Application Container VM Monitoring
Solutions
Insights
Dashboards Views Power BI Workbooks
Visualize
Metrics Explorer Log Analytics
Analyze
Alerts Autoscale
Respond
Event Hubs Ingest &
Export APIs
Logic Apps
Integrate
Azure Monitor
Custom Sources
Application
Operating System
Azure Resources
Azure Subscription
Azure Tenant
Logging

27. Management Solutions – From Marketplace

28. Jump to Application Map or VM Map
Monitor health state of all resources
Drill down into failures or perf issues
See alerts firing across app & infra

29. Monitor ExpressRoute connectivity
to virtual networks and O365
Secure and audit your network with
Network Watcher Traffic Analytics
Monitor connectivity to LoB apps
with Service Connectivity Monitor
Discover and monitor ExpressRoute
circuits, across subscriptions

30. Configure Pre- or Post-Deployment
Quality Gates in Azure Pipelines
Native IDE integrations in VS (.NET)
and VS Code (Node.js)
Run Load Test or Multi-Step Web Test
for Synthetic Perf Monitoring
Onboard with Azure Pipelines Release
Management & DevOps Projects
Continuous Monitoring for DevOps & IT Ops
Work Item Management with Azure
Boards for filing bugs and tracking
Alerts & Notifications with automated
actions & ITSM integrations

31. Integrate your existing APM/Monitoring
solutions with Azure Monitor
Azure Monitor is best for Azure, and
provides both APM & SIEM capabilities
Route telemetry to your SIEM solutions
for analytics & security management
Open and extensible to continue using
your favorite tools & solutions
Integration with Monitoring & SIEM Tools

32. Integrate your existing APM/Monitoring
solutions with Azure Monitor
Azure Monitor is best for Azure, and
provides both APM & SIEM capabilities
Route telemetry to your SIEM solutions
for analytics & security management
Open and extensible to continue using
your favorite tools & solutions
Integration with Monitoring & SIEM Tools

33. © Microsoft Corporation
Azure Compliance Manager
Launched through Service Trust Portal

34. © Copyright Microsoft Corporation. All rights reserved.

35. Common Thread in Security Incidents
SPEAR PHISHING
EMAIL
EXPLOIT KIT
or
INFECT
USER
MOVE ACROSS
THE NETWORK
INFECT THE
DATA CENTER
ADVERSARY
COMMANDS STEAL
DATA

36. Common Thread in Security Incidents on Public Clouds
SPEAR PHISHING
EMAIL
EXPLOIT KIT
or
INFECT USER MOVE ACROSS
INFRASTRUCTURE
ADVERSARY
COMMANDS STEAL
DATA
$
INCREASE
COSTS
EXPLOIT APPS & SERVICES ON
CLOUD INFRASTRUCTURE
HUMAN
ERRORS
DISRUPT
APPS & SERVICES